Microsoft Strongly Requests Customers Secure their On-Premises Exchange Servers

Microsoft advises customers to keep their Exchange servers up to date and to take additional precautions such as turning on Windows Extended Protection and enabling certificate-based signing of PowerShell serialization payloads.

The software giant’s Exchange Team said that attackers will not stop trying to exploit unpatched Exchange servers: unpatched on-premises Exchange infrastructure is simply too valuable to threat actors seeking to steal data or cause other damage.

Microsoft also noted that the mitigations it has released are only a temporary measure and may “become inadequate to guard against all permutations of an attack,” so customers must install the security updates themselves to actually secure their servers.
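The two hardening steps the article opens with, Windows Extended Protection and certificate-based signing of PowerShell serialization payloads, as they would be typed into an elevated Exchange Management Shell on a server that already runs the current Security Update. This is an added example, not code from the article or from Microsoft; the script download path and the assumption that every server in the organization is on a supported SU level are mine.

```powershell
# Added example, not from the article. Run in an elevated Exchange Management
# Shell on an Exchange 2016/2019 server that already has the current SU.
# C:\Scripts is an assumed download location for Microsoft's EP script
# (ExchangeExtendedProtectionManagement.ps1 from the CSS-Exchange repository).

# 1. Windows Extended Protection.
#    First look at the current state without changing anything:
& 'C:\Scripts\ExchangeExtendedProtectionManagement.ps1' -ShowExtendedProtection

#    Then enable EP on all Exchange servers in the org. The script checks
#    prerequisites (SU level, consistent TLS configuration) and stops if a
#    server is not ready; use -ExchangeServerNames to target a subset.
& 'C:\Scripts\ExchangeExtendedProtectionManagement.ps1'

# 2. Certificate-based signing of PowerShell serialization payloads.
#    Creates an org-wide setting override, forces the configuration to
#    refresh, then restarts IIS so running worker processes pick it up.
New-SettingOverride -Name 'EnableSigningVerification' `
    -Component Data -Section EnableSerializationDataSigning `
    -Parameters @('Enabled=true') -Reason 'Enabling Signing Verification'

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh

Restart-Service -Name W3SVC, WAS -Force

# 3. Verify. Servers below the SU that introduced signing support ignore the
#    override without complaint, so check the override AND every build number.
Get-SettingOverride -Identity 'EnableSigningVerification' |
    Format-List Name, ComponentName, SectionName, Parameters, Reason

Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
```

Two practitioner caveats. Extended Protection is not compatible with SSL offloading on the load balancer and requires the same TLS settings on every server, which is exactly what the script's prerequisite check enforces; if it refuses to proceed, fix the configuration rather than forcing it. The serialization-signing override is organization-wide, so stage the SU across all servers first: a server that is still on an older build will not validate signatures, and the override does nothing for it.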

Exchange Server has become a lucrative attack vector in recent years because of a series of vulnerabilities in the product that were exploited as zero-days to break into servers.

ProxyOracle, ProxyLogon, ProxyShell, ProxyNotShell, ProxyToken, and OWASSRF, a bypass of the ProxyNotShell mitigation, are just some of the vulnerability sets found in Exchange Server in the last two years alone; several of them have been widely exploited in the wild.

This week, Bitdefender published a technical advisory that called Exchange a “perfect target” and detailed several attacks that have used the ProxyNotShell / OWASSRF exploit chains since late November 2022.

Martin Zugec of Bitdefender said, “Exchange has a complicated network of frontend and backend services, including old code to offer backward compatibility.” Backend services trust the requests coming from the frontend layer.

Another factor is that many backend services run under the Exchange Server account, which has SYSTEM privileges. The vulnerabilities can give an attacker unrestricted access to the remote PowerShell service, allowing them to run arbitrary commands.

Attacks exploiting the ProxyNotShell and OWASSRF flaws were observed against organizations in the consulting, legal, manufacturing, real estate, wholesale, and arts and entertainment sectors in Austria, Kuwait, Poland, Turkey, and the United States.

According to the Romanian cybersecurity firm, “these kinds of server-side request forgery (SSRF) attacks enable an adversary to send a tailored request from a vulnerable server to other servers to access resources or information that are otherwise not directly accessible.”

Most of the attacks are said to be opportunistic rather than targeted, with the initial compromise followed by attempts to install web shells and remote monitoring and management (RMM) tools such as ConnectWise Control and GoTo Resolve.

Web shells give the attackers a persistent remote access method, enabling them to carry out a variety of follow-on operations and even resell the access to other criminal groups.
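A quick hunt for the web shells described above, as an added example that is not part of the article or of Bitdefender's report. It lists script files recently written into the Exchange web roots, where ASP.NET web shells land, and hashes them for triage. The directory list uses Exchange's own install path variable; the `$Days` window and the keyword heuristic are my assumptions, and a hit is a lead to triage, not proof of compromise.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session on
# the Exchange server. $Days and the keyword list are assumptions.
param([int]$Days = 30)

# ExchangeInstallPath is set by Exchange setup on every Exchange server.
# aspnet_client is an IIS default directory that has also been used for drops.
$roots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:ExchangeInstallPath 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

$since = (Get-Date).AddDays(-$Days)

# Crude content heuristic for ASP.NET web shells: code that turns request
# parameters into command execution. Tune it; it is a triage aid, not a signature.
$suspect = 'Request\[|Request\.Form|Request\.QueryString|eval\(|Process\.Start|cmd\.exe|powershell'

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Suspect   = [bool]($content -match $suspect)
            }
        }
}

# Suspect files first, newest first.
$hits | Sort-Object -Property Suspect, Written -Descending | Format-Table -AutoSize

# Keep the hashes: they can be compared against a known-clean server of the
# same build and shared as indicators without shipping the file itself.
$hits | Export-Csv -Path "$env:TEMP\exchange-webshell-hunt.csv" -NoTypeInformation
```

One caveat: Security Updates and the Extended Protection script also rewrite files under these directories, so a recent write time on its own means little right after patching. Compare the hashes against a clean server on the same build, or narrow `$Days` to the window after the last SU was installed, before treating a file as suspicious.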

The fact that some of the staging servers hosting the payloads were themselves previously compromised Microsoft Exchange servers suggests that the attacks were scaled up using the same technique.

Also observed were failed attempts to download Cobalt Strike and a Go-based implant codenamed GoBackClient that can collect system information and spawn reverse shells.

UNC2596 (also known as Tropical Scorpius), the group behind the Cuba (also known as COLDDRAW) ransomware, has a history of abusing Microsoft Exchange vulnerabilities; in one attack, the ProxyNotShell exploit chain was used to drop the BUGHATCH downloader.

Although the initial infection vector keeps changing and threat actors are quick to seize on every new opportunity, Zugec said their post-exploitation activity is well understood, and a defense-in-depth architecture remains the strongest defense against current attacks.
